CVE-2025-58761

Name of the Vulnerable Software and Affected Versions: Tautulli versions prior to 2.16.0

Description: Tautulli is a Python based monitoring and tracking tool for Plex Media Server. The real pms image proxy endpoint is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. The image to be fetched is specified through the img URL parameter, which can be bypassed by adjoining path traversal characters to reach files outside of intended directories. An attacker can exfiltrate files on the application file system, including the tautulli.db SQLite database and the config.ini file. Obtaining the admin password or a valid JWT token allows an unauthenticated attacker to escalate privileges to gain administrative control over the application.

Recommendations: Update Tautulli to version 2.16.0 or later.